What Is F5 Shape Security?

F5 Shape Security is the most sophisticated anti-bot product on the market — F5 paid $1 billion to acquire Shape in 2020 and the price reflects what it does. Shape runs a custom JavaScript virtual machine in the browser. The bytecode executing in your scraper is not standard JavaScript — it is a proprietary instruction set, regenerated with each deployment, that cannot be reverse-engineered with standard tooling. Session tokens (reese84) expire in minutes. For production scraping at scale, the engineering cost of maintaining a DIY bypass exceeds the cost of Bright Data's or Zyte's managed API within weeks.

Quick facts

Acquisition: $1B by F5 Networks (2020)
Token cookies: reese84, TS*, $rsc= URL params
Token expiry: Minutes — tight rotation cadence
Architecture: Custom JS VM with proprietary bytecode
DIY viability: None at scale — use managed API

Why Shape is different

Most anti-bots ship obfuscated but still standard JavaScript. Shape ships a JavaScript program that interprets a custom bytecode language. Your browser downloads the bytecode and the interpreter; the interpreter executes operations that do not correspond to any standard JS API. Even with Wireshark, mitmproxy, and a deobfuscator, you cannot just "read the source" — there is no source in any conventional sense.

The challenge payload is regenerated on every rotation. The bytecode produced this hour does not match the bytecode produced last hour. Even a successful reverse-engineering effort decays within days.

The two viable strategies

1. Check the mobile app first — always. Shape is typically deployed only on the web frontend. The same brand's iOS or Android app often hits a completely separate API with no Shape protection, only basic Bearer-token auth. Intercept the mobile API with HTTPToolkit or mitmproxy on a rooted Android emulator, find the JSON endpoint, then replicate it with curl_cffi + residential proxies. Works on roughly 60% of Shape-protected sites.

2. Use a managed scraping API. For the remaining 40%, DIY is economically irrational. Benchmarked success rates (Scrape.do 2025): Bright Data Web Unlocker 98.44%, Zyte 93.14%. A managed provider handles the VM, the residential proxies, and the token rotation transparently.

The economic threshold

A senior scraping engineer costs roughly $700–1,500/day fully loaded. Bright Data Web Unlocker is around $3 per 1,000 successful requests; Scrappey full-browser tier is €1.00 per 1,000. The math almost always favors the API once Shape is in the picture. The break-even point: any project where Shape maintenance exceeds two engineer-days per month should switch to a managed provider for the Shape-protected portion specifically.

If session pooling matters and you must DIY: keep reese84 tokens alive for their full validity window (a few minutes), pool browser contexts for short bursts of related requests, and never share a token across IPs.
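
The same token rules seen from the defending side, as an added example that is not part of the original page or of F5's product: a log check that flags a reese84 value presented from more than one client IP, or still in use after its validity window. The record layout, the 5-minute window and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the page only says tokens last "a few minutes"; 5 minutes is illustrative.
TOKEN_WINDOW = timedelta(minutes=5)

# Constructed sample records: (ISO timestamp, client IP, reese84 cookie value, path).
SAMPLE_LOG = [
    ("2025-01-10T12:00:00", "198.51.100.7", "tokA", "/api/search"),
    ("2025-01-10T12:00:20", "198.51.100.7", "tokA", "/api/search"),
    ("2025-01-10T12:01:05", "203.0.113.40", "tokA", "/api/search"),  # second IP
    ("2025-01-10T12:02:00", "192.0.2.15", "tokB", "/api/cart"),
    ("2025-01-10T12:09:30", "192.0.2.15", "tokB", "/api/cart"),      # past window
    ("2025-01-10T12:03:00", "192.0.2.99", "tokC", "/api/cart"),      # clean
]


def find_token_anomalies(records, window=TOKEN_WINDOW):
    """Return {token: set of reasons} for tokens that break IP binding or lifetime.

    Issue time is approximated by the first request that carries the token,
    because an access log does not record when the token was minted.
    """
    first_seen = {}
    ips = defaultdict(set)
    findings = defaultdict(set)
    # ISO timestamps in one format sort chronologically as strings.
    for ts, ip, token, _path in sorted(records):
        when = datetime.fromisoformat(ts)
        first_seen.setdefault(token, when)
        ips[token].add(ip)
        if len(ips[token]) > 1:
            findings[token].add("multiple_ips")
        if when - first_seen[token] > window:
            findings[token].add("used_past_window")
    return dict(findings)


if __name__ == "__main__":
    for token, reasons in find_token_anomalies(SAMPLE_LOG).items():
        print(token, sorted(reasons))
```

A client that moves between networks can legitimately change IP mid-session, so a multiple_ips hit is a signal to correlate with other evidence rather than a verdict on its own.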

Code example

python
# Step 1: try the mobile API first. Most Shape sites only protect the web.
# Use HTTPToolkit on a rooted Android emulator to capture the mobile request,
# then replay with curl_cffi:

from curl_cffi import requests

r = requests.get(
    "https://api.brand.com/v2/products",
    impersonate="chrome131",
    headers={
        "Authorization": "Bearer <token from mobile app>",
        "X-App-Version": "4.2.1",
    },
    proxies={"https": "http://user:pass@residential:port"},
)
print(r.status_code, r.json())  # often 200, no Shape, no reese84

Frequently asked questions

Why is Shape so much harder than Cloudflare or Akamai?

Because the challenge runs inside a proprietary virtual machine. Cloudflare and Akamai ship obfuscated standard JavaScript that can eventually be reverse-engineered. Shape ships bytecode for a private instruction set, regenerated every rotation. The reverse-engineering cycle never converges.

Can curl_cffi bypass Shape?

For Shape-protected XHR endpoints, no — the JS VM must execute and produce reese84 before any protected request is honoured, and curl_cffi does not run JavaScript. For Shape-protected pages where the data is in the initial HTML (rare), it can work. Always check for a mobile API first.

How long do reese84 tokens last?

Typically a few minutes. Even a successful bypass needs to re-solve the challenge frequently, which means even working DIY solutions burn high overhead. Session pooling can amortise the cost across a small burst of requests.

What sites use F5 Shape?

Major US banks, airlines, ticketing platforms, and retailers — the kinds of customers willing to pay enterprise-tier anti-bot pricing. Public lists are not maintained, but cookie inspection (look for reese84 or TS* in dev tools) is the fastest way to confirm.

Last updated: 2026-05-26